绕过 PHP 过滤器的 SQL 注入

尝试了解工作中的各种 SQL 注入技术，但我陷入了以下困境。我正在尝试为以下代码编写 SQL 注入。我的目标是仅输入已知注册用户的用户名（例如：test），并附加额外的输入，绕过以下过滤器，并最终注入到最后一行的 SQL 语句中，使其为真并记录我的日志作为注册用户。我对如何绕过一系列过滤器有点迷失（尽管我猜测我可以使用空白字符的替代品来通过其中一个检查？）什么样的输入可以绕过这个？谢谢！

function sqli_filter($string) {
    $filtered_string = $string;
    $filtered_string = str_replace("--","",$filtered_string);
    $filtered_string = str_replace(";","",$filtered_string);
    $filtered_string = str_replace("/*","",$filtered_string);
    $filtered_string = str_replace("*/","",$filtered_string);
    $filtered_string = str_replace("//","",$filtered_string);
    $filtered_string = str_replace(" ","",$filtered_string);
    $filtered_string = str_replace("#","",$filtered_string);
    $filtered_string = str_replace("||","",$filtered_string);
    $filtered_string = str_replace("admin'","",$filtered_string);
    $filtered_string = str_replace("UNION","",$filtered_string);
    $filtered_string = str_replace("COLLATE","",$filtered_string);
    $filtered_string = str_replace("DROP","",$filtered_string);
    return $filtered_string;
}
function login($username, $password) {
    $escaped_username = $this->sqli_filter($username);
    // get the user's salt
    $sql = "SELECT salt FROM users WHERE eid='$escaped_username'";
    $result = $this->db->query($sql);
    $user = $result->next();
    // make sure the user exists
    if (!$user) {
        notify('User does not exist', -1);
        return false;
    }
    // verify the password hash
    $salt = $user['salt'];
    $hash = md5($salt.$password);
    error_log(print_r($escaped_username));
    $sql = "SELECT user_id, name, eid FROM users WHERE eid='$escaped_username' AND password='$hash'";